data: in the browser address bar may indicate a phishing site

Phishing just like spam and the creation of malicious software in general is a cat and mouse game. When malicious code or attacks hit the web they work for a while before they are properly detected by security software. When that happens, they are modified or redesigned or build from scratch so that they are not detected anymore, which in turn requires security companies to create new protection mechanisms.

Phishing attacks are fairly common on the web. They are used to get information from users who fall prey to them. This may include authentication information for popular web services such as Gmail, Facebook or PayPal, but also other personal information such as credit card numbers or social security IDs.

A recent trend is the use of data: uniform resource identifiers (URIs). The Hot for Security blog describes one of the attacks targeting Chrome users and their Google login in particular.

The attack begins with a mail, which is the dominant way that phishing attacks begin. Users are reminded in that email that they will be locked out of their account due to email storage quote issues in the next 24 hour period unless they increase their email storage automatically by clicking on the provided link.

As you may have guessed already, that link opens a page in the browser. What is new here is that it uses a data: URI to display contents.

The data URI scheme can be used to combine several web elements into a single HTTP request. Since information are encoded, it is not immediately clear if you are on a legitimate page or not, as you cannot just check if you see google.com in the address bar or not.

While the absence of that is an indicator that something is wrong, it is likely that at least some users won't realize that at all.

Chrome is targeted specifically according to the article because it is not displaying the full address in its address bar.

There are quite a few indicators why this is not a legitimate request. If you check the email, you will notice that the from address is not listing a google.com address.

The second indicator is the data: url that is not used by Google or Gmail at all. And the third and final that the page is not using a secure connection.

So what can you do if you encounter such an email and don't know if it is legitimate or not?

Check the from address but do not trust it too much. If it does not use a company domain, it is almost certain that it originated from a third-party.

If the email contains links, hover your mouse over the link but do not click on it. If you see an address that is not on a company domain, it is almost certain it is a phishing email.

If you are still not convinced, visit the website directly by opening your browser and typing it in manually. Important information should be displayed to you on start. If that is not the case, ignore the message.

Summary

Article Name

data: in the browser address bar may indicate a phishing site

Description

If you see data: in the address bar, especially after you have clicked on a link in an email, you may be on a phishing website.

Author

Martin Brinkmann

Please share this article

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News Back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.You can follow Martin on Facebook, Twitter or Google+

"...visit the website directly by opening your browser and typing it in manually" -- And maybe do that in a browser that's well-secured against Javascript, Java, insecure plug-ins like Flash and Acrobat, etc.

Popular Deals

About Ghacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.